Deployment Architecture

distsearch.conf documentation confusion

omeniasty
New Member

Hello Guys,

I am preparing for Splunk Enterprise Admin certification and I am getting a bit confused by the documentation in Splunk docs.

Namely, there are two different statements in distsearch.conf stanza, and not sure which one is the right one.

Splunk/8.1.2/DistSearch/Configuredistributedsearch - here states:

"Add the search peers

To connect the search peers:

1. On the search head, create or edit a distsearch.conf file in $SPLUNK_HOME/etc/system/local.

2. Add the search peers to the servers setting under the [distributedSearch] stanza. Specify the peers as a set of comma-separated values (host names or IP addresses with management ports). For example:

[distributedSearch]
servers = https://192.168.1.1:8089,https://192.168.1.2:8089

Note: You must precede the host name or IP address with the URI scheme, either "http" or "https"."

 

Splunk/8.1.2/DistSearch/Distributedsearchgroups - the other one here states:

"You define distributed search groups in distsearch.conf.

For example, to create the two search groups NYC and SF, create stanzas like these:

You define distributed search groups in distsearch.conf.

For example, to create the two search groups NYC and SF, create stanzas like these:

[distributedSearch]
# This stanza lists the full set of search peers.
servers = 192.168.1.1:8089, 192.168.1.2:8089, 175.143.1.1:8089, 175.143.1.2:8089, 175.143.1.3:8089

[distributedSearch:NYC]
# This stanza lists the set of search peers in New York.
default = false
servers = 192.168.1.1:8089, 192.168.1.2:8089

[distributedSearch:SF]
# This stanza lists the set of search peers in San Francisco.
default = false
servers = 175.143.1.1:8089, 175.143.1.2:8089, 175.143.1.3:8089

 

In the first example, it says that "http/https" is required in hostname/IP under servers variable in [distriburedSearch] stanza, the other one omits it and does not say anything about "http/https" as the required value. I am not at the stage of testing this myself yet, so was thinking maybe I can ask here.

 

Thanks in advance 

Labels (3)
0 Karma

omeniasty
New Member

Just worth adding that documentation for "adding search peers" through CLI, Splunk Web says that http/https is required.

Even Splunk Web console when states this info "Specify the search peer as servername:mgmt_port or URI:mgmt_port. You must prefix the URI with its scheme. For example: 'https://sp1.example.com:8089'."

Does it mean that both versions are acceptable or Splunk/8.1.2/DistSearch/Distributedsearchgroups page is wrong?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...